Oste's Blog
Devel

Devel is a Windows 7 machine that chains together two separate misconfigurations - an anonymous FTP server that writes directly into the IIS web root, and a completely unpatched Windows 7 kernel. The foothold requires no exploit at all, just the ability to upload a file and browse to it. The privilege escalation then exposes just how catastrophically unpatched this system is, with **16+ local exploit candidates** identified. It's a realistic representation of what a neglected Windows workstation looks like on the inside.

Buff

Buff is a straightforward Windows box that simulates a real-world scenario where a web application is running a known vulnerable CMS. Initial access is achieved by exploiting an unauthenticated file upload vulnerability in Gym Management System 1.0, which allows a malicious PHP webshell to be uploaded and executed. From there, a more stable reverse shell is established using netcat. Privilege escalation involves identifying a locally running CloudMe Sync service vulnerable to a stack-based buffer overflow, tunneling to it via chisel, and firing a modified exploit with a custom reverse shell payload - resulting in a shell as Administrator.

Netmon

Netmon is one of the most instructive machines in the Easy tier because it demonstrates something that pure exploit-focused machines don't: sensitive data exposure through misconfigured services is often more dangerous than unpatched software. The entire initial foothold comes from reading configuration backup files over anonymous FTP, no exploit required. The credential recovered from that backup then unlocks a network monitoring platform with authenticated RCE (CVE-2018-9276), which is abused to create a backdoor admin account and achieve SYSTEM-level access via WinRM. It's a realistic credential theft to platform abuse chain that mirrors real-world incidents. What makes Netmon especially interesting is that there are two completely separate paths to root: a manual exploitation path through the PRTG notification system, and an automated path via a public exploit script. Both are documented here.